The dark side of search engines

Summary: As a malware researcher, I spend the majority of my days studying the dark side of the web, and one of the most interesting things I get to see is the weird, and sometimes wonderful, search engine queries that lead to dangerous Web sites.


* Ryan Naraine is on vacation. Guest Editorial by Roger Thompson

As a malware researcher, I spend the majority of my days studying the dark side of the web (is that a good job or what?), and one of the most interesting things I get to see is the weird, and sometimes wonderful, search engine queries that lead to dangerous Web sites.

Most people probably think that as long as they don't visit Web sites of ill-repute, they'll be quite safe, but that's not quite true. Yes, it's undoubtedly dangerous to walk on the virtual wild side, but we've noticed a disturbing trend towards hacking innocent websites, and turning them into unwitting lures for the exploit servers.

The first important trend is that, about eighteen months ago, there was just one commercial package of web-based exploit software, WebAttacker. Today, WebAttacker is gone, its developers unable to keep the pace, but it has been replaced by at least three better-written competitors -- WebAttacker2/MPack, Neosploit, and at least one other that we don't have a name for yet.


The second trend is that, about eighteen months ago, the perpetrators were probably equally divided between trying to install adware on the victim's computer, and trying to sell the victim a spyware remover to remove the spyware they just installed, along with other payloads such as keyloggers and backdoors for fun and profit. Today, the semi-innocent, arguably aggressive marketing has all but disappeared, and has been replaced by overtly criminal activity. They want your bank accounts, folks, and they're getting better at it all the time.

The third trend is that mass defacement of websites seems to be giving way to mass infection of websites. Several tools are being sold which can probe massive numbers of websites, trying to inject iFrames that reach back to the exploit server, so that innocent queries turn into dangerous searches.
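The injected iFrames described above are usually made invisible (zero- or one-pixel size, hidden via CSS, or pushed off-screen) and point at a host the site owner does not control. The following is an added example, not code from the article or from Exploit Prevention Labs: a small checker a site owner or incident responder can run over their own pages to spot frames with those properties. The sample HTML, the site host `www.example.com` and the documentation address `203.0.113.10` are all constructed for the demonstration; the heuristics are assumptions about what an injected lure typically looks like, not a signature for any particular kit.

```python
"""Flag iframes in a page that look like injected drive-by lures.

Added example for the article above; the sample page is constructed.
Hidden-frame indicators are treated as high confidence, an off-site
src on its own as low confidence (legitimate embeds are off-site too).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag and attr names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (pixel) - a common hiding trick."""
    if value is None:
        return False
    match = re.match(r"\s*(\d+)", value)
    return bool(match) and int(match.group(1)) <= 1


def suspicious_iframes(html, site_host):
    """Return a list of {src, reasons, severity} for each iframe worth a look.

    site_host is the hostname the page legitimately lives on; any absolute
    src on a different host is noted as off-site.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        hidden = False
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero/one-pixel size")
            hidden = True
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
            hidden = True
        if reasons:
            findings.append(
                {"src": src, "reasons": reasons, "severity": "high" if hidden else "low"}
            )
    return findings


def high_confidence(html, site_host):
    """Only the findings that carry a hiding indicator."""
    return [f for f in suspicious_iframes(html, site_host) if f["severity"] == "high"]


# Constructed sample: one ordinary embed, one injected hidden frame pointing
# at an outside host, and one zero-size frame using a relative path.
SAMPLE_PAGE = """
<html><body>
<h1>Parish directory</h1>
<iframe src="https://www.example.org/embed/map" width="400" height="300"></iframe>
<p>Welcome to our site.</p>
<iframe src="http://203.0.113.10/lure/frame.html" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/local/widget.html" width=0 height=0></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print(finding["severity"], finding["src"], ", ".join(finding["reasons"]))
```

Running it over a crawl of your own site and diffing the output against a known-good baseline is the practical use: a legitimate map embed shows up once as "low" and stays there, while a newly injected hidden frame appears as "high" the day it is planted.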

Here are some examples of recent queries where the wrong choice results in an exploitive website:

"music without voice" -- if you make the wrong choice, you get a WebAttacker2-infected website

"famous cubists" -- the wrong choice gets a WebAttacker2-infected website

"florida baptist churches" -- the wrong choice gets a website infected with an MDAC exploit

"court instruments" -- the wrong choice finds a Web site that links to a known rootkitter.

So what does the future hold?

The bad guys understand that while firewalls do a pretty good job of keeping out network worms, web browsers start from inside the firewall, and therefore create an instant tunnel right through the firewall.

I'm fairly confident that the mass infection tools will continue to improve, and the result of that will be more and more hacked innocent lures. They get cleaned up quite quickly but just as quickly others are hacked and take their place.

* Roger Thompson is an anti-virus industry veteran, having started one of the first anti virus companies in Australia in 1987. He is chief technical officer of Exploit Prevention Labs.

Topics: Malware, Browser, Security


Talkback

5 comments
  • Windows only

    One of the good things about being in the minority of computer users is nobody writes malware targeting BSD (which is famously dead, of course) or Apple.
    epcraig
    • Dangerous (and false) assertion there.

      [i]One of the good things about being in the minority of computer users is nobody writes malware targeting BSD (which is famously dead, of course) or Apple.[/i]

      Very dangerous and incorrect assertion there. There is indeed malware for OS X. It is relatively rare, yes, but it does exist. (OK, I'm not familiar enough with the xBSD scene to know if this is also true for that OS set, but I suspect it is or soon will be.) (xBSD: FreeBSD/NetBSD and related distros)
      Raymond Danner
  • Song lyrics too

    Searching for song lyrics is sure to yield many links to malware sites.
    BoisD'Arc
  • The dark side of search engines

    'The first important trend is that, about a eighteen months ago, there was just one commercial package of web-based exploit software, WebAttacker. Today, WebAttacker is gone, it's developers...'

    its developers.
    it's=it is.
    --Glenn
    8]
    yes, this is obviously obsessive
    oregonnerd13
    • And it wasn't the only error.

      'The first important trend is that, about a eighteen months ago, there was just one commercial package of web-based exploit software, WebAttacker. Today, WebAttacker is gone, it's developers...'

      The "a" in front of the "eighteen months" shouldn't be there. Why it is, I haven't a clue. (guess I'm obsessive, but I spot mistakes like this all the time. I'd mention the other, too, but it's already been caught.)
      Raymond Danner